Bug 270823 - print/ghostscript9-agpl-base: please check for CVE-2023-28879
Summary: print/ghostscript9-agpl-base: please check for CVE-2023-28879
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Matthias Andree
URL: https://artifex.com/news/critical-sec...
Keywords: security
Depends on:
Blocks:
 
Reported: 2023-04-13 19:32 UTC by Matthias Andree
Modified: 2023-05-01 17:30 UTC
CC: 8 users

See Also:
mandree: maintainer-feedback-
mandree: merge-quarterly+


Attachments
Upstream's patch and a portrevision bump (2.02 KB, patch)
2023-04-22 18:08 UTC, Nicholas Taylor
no flags
Proof of concept for CVE-2023-28879 (1.49 KB, application/postscript)
2023-04-23 10:55 UTC, Nicholas Taylor
no flags
Patch to update ghostscript9-agpl-x11 PORTREVISION (394 bytes, patch)
2023-04-23 23:11 UTC, George Mitchell
no flags
Modify vulndb to account for fixes in this PR (1.15 KB, patch)
2023-04-27 22:40 UTC, Nicholas Taylor
no flags

Description Matthias Andree freebsd_committer freebsd_triage 2023-04-13 19:32:29 UTC
Hiroki-san,

please check if you need to apply https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=37ed5022cecd584de868933b5b60da2e995b3179;hp=afec45259049d3940abb0134c67abf8869123b74 for Ghostscript9 ports - the patch would apply cleanly.

If that is the way forward for ghostscript9, please also update the range in the vulndb entry - we already have one for ghostscript10.

I am about to mark ghostscript7 and 8 FORBIDDEN on main.
Comment 1 Nicholas Taylor 2023-04-22 18:08:17 UTC
Created attachment 241660
Upstream's patch and a portrevision bump

This is the patch Matthias linked to, formatted for ports.  It builds fine with poudriere testport on FreeBSD 12.4 on amd64, but that's the extent of the testing I've done.
Comment 2 George Mitchell 2023-04-22 19:44:03 UTC
I can confirm that ghostscript9-agpl-base compiles and runs successfully on 13.1-RELEASE-p7.  However, I don't know how to confirm whether the patch fixes the CVE.  And if we take the current vuln.xml entry for CVE-2023-28879 at face value, upgrading to anything less than 10.01.0 won't fix the vulnerability.

Also, ghostscript9-agpl-x11 RUN_DEPENDS on ghostscript9-agpl-base, so does this patch take care of the vulnerability for the x11 version also?  Should the x11 version's PORTREVISION be bumped as well?
Comment 3 Nicholas Taylor 2023-04-22 22:17:39 UTC
(In reply to George Mitchell from comment #2)

I found a decent writeup of the bug at https://offsec.almond.consulting/ghostscript-cve-2023-28879.html and if no-one beats me to it I'll try some of their proofs of concept as a test case.

I think the vulndb data for this bug is incorrect; looking at https://git.ghostscript.com/?p=ghostpdl.git;a=shortlog;h=refs/tags/ghostpdl-10.01.1 it seems version 10.01.0 was released before the fix, i.e. is still vulnerable.  My reading of https://vuxml.freebsd.org/freebsd/25872b25-da2d-11ed-b715-a1e76793953b.html is that version 10.01.0 will be erroneously considered fixed.

I'm not sure how FreeBSD as a whole feels about backporting security fixes; personally I'd prefer to do that and mark ghostscript9-agpl-base >= 9.56.1_10 as not affected, than get more than eighty ports to update to using ghostscript10.  I am very new here, though.

I think you're right that ghostscript9-agpl-x11 will need a PORTREVISION bump.  I'm not certain, and I'll do some testing to find out.  If you are certain, then please bump it.
Comment 4 commit-hook freebsd_committer freebsd_triage 2023-04-23 09:37:09 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e73586a6d60ae9695b97962977807af6889b1525

commit e73586a6d60ae9695b97962977807af6889b1525
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2023-04-21 18:09:19 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-04-21 18:09:19 +0000

    security/vuxml: fix up ghostscript version range of CVE-2023-28879

    Pointy hat to:  mandree@ for misreading the quoted Artifex page
    Reported by:    Nicholas Taylor <nicholas.e.taylor@gmail.com>
    PR:             270823 (comment #3)
    Security:       CVE-2023-28879
    Security:       25872b25-da2d-11ed-b715-a1e76793953b

 security/vuxml/vuln/2023.xml | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
Comment 5 Matthias Andree freebsd_committer freebsd_triage 2023-04-23 09:38:01 UTC
Nicholas, 

thanks for pointing out that I botched the vulndb entry 🙈. Corrected.
Comment 6 Nicholas Taylor 2023-04-23 10:55:57 UTC
Created attachment 241671
Proof of concept for CVE-2023-28879

I think (but note I am not an information security professional) that the attached postscript, cobbled together from https://offsec.almond.consulting/ghostscript-cve-2023-28879.html and https://github.com/AlmondOffSec/PoCs/blob/master/Ghostscript_rce/debian_10.0.0.ps , should exercise this bug.

Good output (i.e. not vulnerable):
% gs poc.ps
GPL Ghostscript 9.56.1 (2022-04-04)
Copyright (C) 2022 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
4848484848484848

Bad output (i.e. vulnerable):
% gs poc.ps
GPL Ghostscript 9.56.1 (2022-04-04)
Copyright (C) 2022 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
0000000803E21C57
Bus error (core dumped)

Note that the eight bytes of hex just before the bus error in the bad output are heap content and may be different on your machine; I was using ghostscript9-agpl-base-9.56.1_8 from packages for the bad output.
Comment 7 Nicholas Taylor 2023-04-23 11:06:51 UTC
(In reply to Matthias Andree from comment #5)
Related: I wish CVEs would stop using "through" when "up to and including" is clear and unambiguous.  It took me an embarrassingly long time to check that.
Comment 8 Matthias Andree freebsd_committer freebsd_triage 2023-04-23 11:45:08 UTC
Oh yes. Colloquial language is unsuitable for technical specifications.  And don't get me started on people confusing trigonometric functions (sec) with time quantities (s). But those are other items on the wish list.  

The first item was having your FreeBSD committer "write proper vulnerable versions range" into the VuXML item and use the _fixed_ version in the less-than (but-not-equal) relation.  Sorry again.
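The version-range mistake discussed in comment 3 and comment 8 comes down to how a VuXML "less than" bound is evaluated against installed package versions. The following is an added example, not code from this PR or from the FreeBSD ports tree: a simplified, constructed model of pkg(8) version comparison (dotted numbers, `_PORTREVISION`, `,PORTEPOCH`; letter and `pl` suffixes are assumed not to occur) that checks a `pkg info`-style package string against a corrected entry. The fixed versions are 9.56.1_10 for ghostscript9-agpl-base (comment 15) and, per comment 3's reading, 10.01.1 for ghostscript10 (the ghostscript10 package name is assumed).

```python
import re
from typing import Dict, List, Tuple

# Constructed VuXML-style ranges for CVE-2023-28879 after the correction
# in comment 4: a package is affected while its version is strictly less
# than the first fixed version (the "lt" relation), never "<= fixed".
FIXED_IN: Dict[str, str] = {
    "ghostscript9-agpl-base": "9.56.1_10",   # from comment 15
    "ghostscript10-agpl-base": "10.01.1",    # assumed name, per comment 3
}

def parse_version(v: str) -> Tuple[int, List[int], int]:
    """Split PORTVERSION[_PORTREVISION][,PORTEPOCH] into comparable parts.

    Simplified model (assumption): dotted numeric components, an optional
    _N revision and an optional ,N epoch.  Letter and "pl" suffixes of the
    real pkg(8) grammar are not handled here.
    """
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.split("_", 1)
        revision = int(r)
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version syntax: {v!r}")
    return epoch, [int(p) for p in v.split(".")], revision

def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1, mirroring what `pkg version -t a b` prints as <, =, >."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    width = max(len(pa), len(pb))           # 9.56 compares as 9.56.0
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)     # epoch, then version, then revision
    return (ka > kb) - (ka < kb)

def is_affected(pkg: str) -> bool:
    """pkg is a `pkg info`-style string such as 'ghostscript9-agpl-base-9.56.1_9'."""
    name, version = pkg.rsplit("-", 1)      # versions never contain '-'
    fixed = FIXED_IN.get(name)
    if fixed is None:
        return False                        # not listed, e.g. the passive -x11 port
    return compare(version, fixed) < 0
```

Feeding it the two `pkg info` lines from comment 11 flags 9.56.1_9 as affected and 9.56.1_10 as fixed, while 10.01.0 is still reported affected, which is the distinction the original entry got wrong.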
Comment 9 Trond Endrestøl 2023-04-23 17:18:36 UTC
I would suggest PORTREVISION also be bumped for print/ghostscript9-agpl-x11. The VuXML data must thus recognize 9.56.1_10 (base) and 9.56.1_1 (x11) as fixed.
Comment 10 George Mitchell 2023-04-23 23:11:34 UTC
Created attachment 241690
Patch to update ghostscript9-agpl-x11 PORTREVISION

(In reply to Trond.Endrestol from comment #9)
Here's a patch to update ghostscript9-agpl-x11's PORTREVISION.  It compiles.
Comment 11 Nicholas Taylor 2023-04-24 10:24:53 UTC
Okay (at this stage mostly for my own education, if George Mitchell and Trond.Endrestol both think print/ghostscript9-agpl-x11 needs bumping they are probably right):

1. Bumping the portrevision of print/ghostscript9-agpl-base doesn't force a reinstallation of print/ghostscript9-agpl-x11.

2. print/ghostscript9-agpl-x11 just installs the X11 device for Ghostscript:
% pkg info -l ghostscript9-agpl-x11
ghostscript9-agpl-x11-9.56.1:
        /usr/local/lib/ghostscript/9.56.1/X11.so
        /usr/local/share/licenses/ghostscript9-agpl-x11-9.56.1/AGPLv3
        /usr/local/share/licenses/ghostscript9-agpl-x11-9.56.1/LICENSE
        /usr/local/share/licenses/ghostscript9-agpl-x11-9.56.1/catalog.mk

3. Fixing CVE-2023-28879 for print/ghostscript9-agpl-base fixes it for a system on which print/ghostscript9-agpl-x11 has not been updated:
Before (stock ports tree):
% pkg info | grep ghostscript9
ghostscript9-agpl-base-9.56.1_9 PostScript and PDF interpreter
ghostscript9-agpl-x11-9.56.1   PostScript and PDF interpreter, X11 support

% gs -sDEVICE=epson poc.ps
GPL Ghostscript 9.56.1 (2022-04-04)
Copyright (C) 2022 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
000000080404CFD7
Bus error (core dumped)

After applying attachment #241660 [1] but not attachment #241690, and rebuilding with poudriere:
# pkg update
...
# pkg upgrade
...
Installed packages to be UPGRADED:
        ghostscript9-agpl-base: 9.56.1_9 -> 9.56.1_10
        libxml2: 2.10.3_2 -> 2.10.4
...

% gs -sDEVICE=epson poc.ps
GPL Ghostscript 9.56.1 (2022-04-04)
Copyright (C) 2022 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
4848484848484848

4. I don't think an unpatched X11 Ghostscript device can reintroduce this vulnerability (it's in the Postscript interpreter) but I am currently having trouble forwarding X from the testing jail in a way Ghostscript will believe.  This is due to my past poor decisions and I'll fix it, it's just taking a while.

[1] And attachment #241552 from bug #270906 which was lurking in my "ahead-of-stock" ports tree; I don't think it affects the results.
Comment 12 George Mitchell 2023-04-24 14:44:58 UTC
(In reply to Nicholas Taylor from comment #11)
I'm really not sure it's necessary to bump ghostscript9-agpl-x11's PORTREVISION, but I thought I'd provide the trivial patch in case it was needed.  If the vulnerable code is entirely inside ghostscript9-agpl-base, then changing the x11 port is probably unneeded.
Comment 13 Trond Endrestøl 2023-04-24 16:32:12 UTC
(In reply to George Mitchell from comment #12)
Then the -x11 port shouldn't be mentioned in the VuXML data. It's a “passive port.”
Comment 14 Nicholas Taylor 2023-04-27 22:40:13 UTC
Created attachment 241800
Modify vulndb to account for fixes in this PR
Comment 15 Nicholas Taylor 2023-04-27 22:47:49 UTC
Okay, after overcoming past poor decisions I was able to test the behaviour of a patched ghostscript9-agpl-base with an unmodified ghostscript9-agpl-x11.  To nobody's very great surprise, this combination is not vulnerable.

So, please could attachment #241800 and attachment #241660 be applied as patches to the ports tree?  The first marks ghostscript9-agpl-base 9.56.1_10 as fixed and removes all mention of ghostscript9-agpl-x11.  The second patches ghostscript9-agpl-base and bumps its portrevision to 10.

I now notice that I did not mark attachment #241800 as a patch, for which I apologise.
Comment 16 Matthias Andree freebsd_committer freebsd_triage 2023-04-28 14:12:36 UTC
So, Hiroki being apparently distracted because I haven't seen things, I am claiming maintainer timeout (15d) and commandeering this ticket.
Comment 17 commit-hook freebsd_committer freebsd_triage 2023-04-28 14:25:31 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6ff53aa124d487f75e4bcdc2267f15acdc72f523

commit 6ff53aa124d487f75e4bcdc2267f15acdc72f523
Author:     Nicholas Taylor <nicholas.e.taylor@gmail.com>
AuthorDate: 2023-04-28 14:16:35 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-04-28 14:20:38 +0000

    print/ghostscript9-agpl-base: add patch to fix CVE-2023-28879

    and bump PORTREVISION. vulndb update in upcoming separate commit.

    Security:       CVE-2023-28879
    Security:       25872b25-da2d-11ed-b715-a1e76793953b
    PR:             270823
    MFH:            2023Q2
    Approved by:    hrs@ through maintainer timeout, 15d

 print/ghostscript9-agpl-base/Makefile              |  2 +-
 .../files/patch-base_cbcp.c (new)                  | 23 ++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
Comment 18 commit-hook freebsd_committer freebsd_triage 2023-04-28 14:25:33 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5f57c067b60fc17e8b848a8e698c60a92dc765ac

commit 5f57c067b60fc17e8b848a8e698c60a92dc765ac
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2023-04-28 14:20:47 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-04-28 14:20:47 +0000

    security/vuxml: Update ghostscript CVE-2023-28879 entry

    and mark ghostscript9-agpl-base 9.56.1_10 as fixed,
    and remove ghostscript9-agpl-x11 which does not seem to be
    using the vulnerable code.

    Security:       25872b25-da2d-11ed-b715-a1e76793953b
    Security:       CVE-2023-28879
    PR:             270823

 security/vuxml/vuln/2023.xml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
Comment 19 commit-hook freebsd_committer freebsd_triage 2023-04-28 14:28:34 UTC
A commit in branch 2023Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=840aa2982c3036f0e05e89420d34476ce593260c

commit 840aa2982c3036f0e05e89420d34476ce593260c
Author:     Nicholas Taylor <nicholas.e.taylor@gmail.com>
AuthorDate: 2023-04-28 14:16:35 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-04-28 14:26:20 +0000

    print/ghostscript9-agpl-base: add patch to fix CVE-2023-28879

    and bump PORTREVISION. vulndb update in upcoming separate commit.

    Note I am bumping the branch to PORTREVISION=10 (not 9) as well so
    we have the fixed version on the same PORTREVISION, on branch
    and main line.

    Security:       CVE-2023-28879
    Security:       25872b25-da2d-11ed-b715-a1e76793953b
    PR:             270823
    MFH:            2023Q2
    Approved by:    hrs@ through maintainer timeout, 15d

    (cherry picked from commit 6ff53aa124d487f75e4bcdc2267f15acdc72f523)

 print/ghostscript9-agpl-base/Makefile              |  2 +-
 .../files/patch-base_cbcp.c (new)                  | 23 ++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
Comment 20 Matthias Andree freebsd_committer freebsd_triage 2023-04-28 14:29:15 UTC
Nicholas, George, Trond, thanks for your support and work on this matter.
Comment 21 Matthias Andree freebsd_committer freebsd_triage 2023-04-28 14:35:17 UTC
Note it will take a while before the vuxml database update will have propagated.
Comment 22 Matthias Andree freebsd_committer freebsd_triage 2023-04-28 14:40:08 UTC
Comment on attachment 241800
Modify vulndb to account for fixes in this PR

So, the Bugzilla trick to get this marked as "patch" in hindsight is:
- in the table listing attachments, click on details in the right hand column
- then, on the new page with ...action=edit URL, you click the "Edit details", then you tick the "[ ] patch" checkbox, then you submit - which I am doing now, so it's easier to see the diff.

For me, it was easier to do the change manually per Trond's and Nicholas's findings, and I also needed to bump the "modified" XML tag, so I made the changes myself.
Comment 23 Nicholas Taylor 2023-04-28 15:09:54 UTC
(In reply to Matthias Andree from comment #22)
Ah, I see now, thank you.  And thank you for the support!
Comment 24 George Mitchell 2023-04-28 17:56:39 UTC
(In reply to Matthias Andree from comment #20)
You're welcome, but you did the real work!
Comment 25 George Mitchell 2023-05-01 17:30:07 UTC
It looks like the vuxml change has now propagated out into the real world and I am no longer receiving the nags about the problem.  Thank you!